APIs are critical to security

peoplewhat I learned trying to discover useful APIs

Motivation for that talk

- Working on Incident Response on a daily base

- Wide variety of tools in use

- Very important data is processed by Security people

- Developing / contribute some open source tools

Agenda

- What is an API?

- Why do IR teams need APIs?

- Requirements to an API?

- How I approached it?

- The Good

- The Bad

- The Ugly

- What can you do?

Types of APIs

- Libraries - Operating systems - Remote APIs

- Web APIs

Why do Security people need APIs

- Cyber requires different sources of information to ...

- Not one tool to rule them all

- Different destinations to prevent badness

- (Interact with Systems / devices)

Logs

Sandbox Sandbox Sandbox

Ticket

System

Virustotal Domaintools etc

Logs

Sandbox Sandbox Sandbox

Ticket

System

Virustotal Domaintools etc

API collection / metadata

What is a good API?

Availability of API / interfaces

Documentation

Versioned API

Nothing bugs more than an API endpoint

change that breaks scripts / workflows

Sample data so people can play

Reference implementation

RESTful

Makes it easier for everyone involved

scalable

- API needs to grow

- give feedback of implemented rate limiting

Security built in

- encryption

- logging

- authentication

Pyramide of API

Sample Data

Versions

Documentation

Availability of an API

How I approached it

- Wrote down every tool I used during a day

- Answered following questions- Am I the only one using the tool / database?

- Does the tool has an API?

- Where is the API documentation?

The Good

- Virustotal

- Cuckoo

- New Misp API

The Bad (with reasons)

- MISP (old Api)- API documented, but not 100 % accurate

- manual effort to keep it updated

- no samples for every endpoint available

- Timesketch- Api.py available

- No documentation

- No examples

- But: python api wrapper

The Ugly

- Proxy provider had a public facing site

- Used an public facing API

- was discovered and documented

- was used among security people

- silently very hard rate limiting

https://github.com/deralexxx/security-apis

What can you do?

- make it a hard requirement for - every commercial security tool you

buy

- every security tool you develop

inhouse

- every security tool you contribute to

- contribute to the github

repository- tools you developed

- tools you use

- other tools

- Open issues for tools you use

with the vendor / developer

Q&A

Description

More and more Security tools are introduced in the cyber eco system which

increases the complexity dramatically. To combat that - there are basically

two ways to scale:

a) go for a “one tool to rule them all” approach

b) make use of APIs and connect them

For the option b the first step is to collect all tools that are available and discover

if and what APIs these tools have. During a period of several months, I did

that and open sources that list to github

(https://github.com/deralexxx/security-apis).

Weaponized with that list, it is easier for security folks to do an inventory of their

capabilities as well as requirements for future security tools to

Requirements to an API

- documented- (available for everyone)

- Examples- sample files so it is not mandatory to install tool xyz to write an integration

- sample implementations to interact with the API

- security built in- encryption

- access control

- logging what was accessed

- ...

TODO

API memes